Risky Thinking
December, 2015

The Risky Thinking Newsletter is free for professionals working in business continuity, disaster recovery, and risk management. To get your own subscription, please visit www.RiskyThinking.com/newsletter.

In this issue…

  1. Business Continuity and Terrorism Part 1: Assessing the Threat
  2. Plan424 — The Case for a Mobile Emergency Plan
  3. Decision making in an Emergency
  4. The Risk Assessment Toolkit
  5. News Review
  6. Administrivia: copyright, copying, and subscription management

Business Continuity and Terrorism Part 1: Assessing the Threat

[This was written before the Paris attacks of 2015. I was hoping for a quiet period to publish it. Sadly, it looks increasingly unlikely that there will be one.]

The past year has seen several terrorist attacks in major cities throughout Europe and North America. Primarily these have been organized and executed by small, relatively unsophisticated groups — sometimes as simple as one man with a gun — rather than large groups co-ordinated and controlled by a central organization.

One interpretation of events is that these represent a success on the part of intelligence agencies in disrupting the command and control of organizations such as al Qaeda.

An alternative view is that these groups are evolving and changing tactics. No longer are terrorist organizations attempting to organize spectacular and sophisticated attacks such as those in New York (2001) and Mumbai (2008). Instead they are concentrating on inspiring the disaffected in target countries to organize and execute attacks without central direction. There may be some assistance with the provision of weapons (Charlie Hebdo attack, Paris, 2014), but in the main the actors involved choose their own targets and make their own plans without any central direction (London, 2005; Ottawa, 2014; Saint-Jean-sur-Richelieu, 2014). There is no prior direct communication required, and the only direct role of the terrorist organization in a particular attack is either to claim responsibility or to disavow the operation after it has occurred.

The limitation for a terrorist organization in this scenario lies in its ability to attract and inspire actors with the motivation and skill-set necessary to carry out the attacks. (Fortunately, any idea set which requires martyrdom in a suicide attack both severely reduces the pool of potential candidates and limits their ability to learn from their mistakes.)

The implication of this is that while the terrorist organization's ideas remain attractive to a small segment of the population, it will be impossible for any government to prevent all terrorist attacks. There is no practical way a government can (or should) control its population to the extent that a person cannot learn of an idea, pick up a weapon (gun, improvised explosive, knife, or speeding car) and kill someone.

So can we determine if our company or organization is at risk from a terrorist attack?

Assessing the Risk

Assessing the risk involves identifying what groups might be currently motivated to attack us, determining whether they are likely to specifically target us (as opposed to choosing us from a list of potential targets), or are just interested in attacking a target like ours, and determining what the commitment, sophistication, resources and tactics are likely to be.

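The first step is to try to identify potential attackers.

Potential attackers can be divided into three groups:

  1. Attackers who may specifically target us
  2. Attackers interested in attacking targets like ours
  3. Attackers for whom we may be collateral damage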

Let's look at these in turn.

Identifying Attackers who may specifically target us

Attackers who are likely to specifically target us are clearly the greatest problem. Security measures to prevent an attack from this group need to do more than simply persuade a potential attacker to "try elsewhere". Can we identify such groups?

If we can assume that the potential attackers represent the more violent fringe of some larger diffuse group (as is often, but not always, the case) then there is a good chance that we can. In this case the larger group is likely to contain many members who are less motivated than the potential attackers. Rather than taking up arms and attacking us with guns or explosives, this group will try threats and minor vandalism. Monitoring for mail, email, telephone or verbal threats received by staff can give an indication that we are now viewed as a potential target of a particular group.

While this seems easy to do, it is important to realize that if we are part of some larger organization we may not be aware of such threats. Members of a group may threaten a head office, but attack a branch location. Alternatively our less motivated attacker may threaten the most visible parts of an organization: the more motivated attackers may take the time to identify the most susceptible location. It is therefore important that any threats received are collated and communicated to locations which may otherwise be unaware of the threats.

We should also note that smaller groups and lone individuals are less likely to give any prior warning of their intention to attack in this way.

A special case here is if we host or hold events or meetings for third parties. The organization holding or promoting the event may receive the threats, rather than us. Fortunately it is far simpler to provide extra security for a single event than it is to maintain long term vigilance.

Identifying Attackers interested in attacking targets like ours

Our best hope with groups interested in attacking targets like ours is that we are unlikely to be the first target attacked. Monitoring recent terrorist activity can suggest what groups are active, and what types of targets are being chosen.

Prior assessment of what target categories we may represent (e.g. place where foreign nationals gather, place where religious group gathers, arms manufacturer, live animal researcher, etc.) and monitoring for attacks against locations or people in the same target category can give some indication of elevated risks.

Despite the complex scenarios beloved of television and movies, most attacks are not original. Terrorist groups learn from their mistakes, and repeat and adapt methods which work. If a particular tactic works well, we can expect to see it repeated. Thus looking at previous attacks will often give a good indication of the types of weapons and tactics which may be involved.

Identifying Attackers for whom we may be collateral damage

The only way to identify such attackers is to consider (and talk to) your neighbors. Is your neighbor likely to be the subject of a bombing attack? Then you are too. Indeed, if your security is substantially worse than that of your neighbor, the easiest way to attack their location may be to place a bomb in yours.

Quantifying The Risks

The Global Terrorism Database (see below), maintained by the National Consortium for the Study of Terrorism and Responses to Terrorism (START), is your friend here.

This database tracks terrorist incidents worldwide, and can be used to identify trends in your country. A quick division of the number of relevant incidents in a recent year by an estimate of the number of potential targets similar to yours will give a gross estimate of the likelihood of an attack. Remember that while governments and the media worry about all potential incidents, you only need to be concerned about an incident that will affect you.

Future Trends

The number of people attracted by terrorist ideals is small in most western countries, and the number of attacks is therefore low compared with elsewhere.

However, the trends for many countries are worrying: the total number of incidents per year has more than doubled since the United States declared its War on Terror in 2001. There were 619 suicide attacks in 2013: in 2010, there were fewer than 200, and ten years before that there were just 37. It's easy to underestimate how quickly new threats can emerge. The sudden influence of ISIL was not predicted, and indeed, the group itself was only formed in 2006.

Conclusion

Terrorism is always changing.

At the national level it may be unpredictable, but organizations can go some way towards estimating the risks that they face based upon past events.

Unless an idea attracts very few followers, threats and acts of vandalism by non-terrorists will probably give prior warning that a threat exists, and examination of previous attacks by similar groups may give a reasonable idea of the type of tactics and weapons that may be employed.

Attacks can be completely novel, but (unless there are very few potential targets) we are still unlikely to be the first victim of such novelty.

However, the future trends are worrying. In 2003, there were 1,262 terrorist incidents worldwide. In 2013 — the last year for which figures are available — there were 11,952. With this increase in terrorism comes an increase in suicide attacks, and of attacks inspired by rather than organized by terrorist organizations, leading to a greater difficulty in defending potential targets and identifying possible terrorists.

In Part Two we will look at some of the ways your organization can mitigate the terrorist threat and handle its aftermath.

Resources

One of the problems with terrorism is disagreement about its definition. Are they freedom fighters, insurgents, or terrorists? Is an attack against soldiers who aren't on duty terrorism or merely tactics? Are all attacks against civilian targets terrorism, or do oil refineries or government offices not count?

While the effect on the victims may be the same, be aware that this definitional problem does influence statistical studies and government reports.

Plan424 — The Case for a Mobile Plan

When there was a minor earthquake in Ottawa (a place that isn't on any major fault line), the staff in the downtown office did not know what to do. So they did what their instincts told them, and tried to get out of the building as fast as possible. This wasn't what they should have done. This wasn't what their business continuity plan said they should do. But it's unlikely most staff had ever read the business continuity plan or even knew where a copy was.

Fortunately it was a small quake: the building suffered minor damage, and nobody was hurt by falling glass or debris.

But this is a major problem. People don't know what they are supposed to do, and when something happens it takes them too long to find out.

This is why we developed Plan424, a business continuity plan system designed from the outset for staff mobile phones. It puts the information people need where they can easily access it, and encourages a familiarity with the plan which a paper or web-based system cannot match.

Visit www.plan424.com/welcome to sign up for a live demo.

Decision making in an Emergency

"There's a bomb in your car park. It will go off in ten minutes." Click.

Sometimes business continuity involves reacting very rapidly to events over which you have little control…

As part of the development work for Plan424 — a customizable emergency response plan designed to be distributed to staff mobile phones — we've been looking closely at how organizations need to react to fast-paced events.

In a slower moving event, the flow of information is as follows:

  1. Staff member learns of event (Hurricane Warning)
  2. Staff member notifies member of Emergency Management Team
  3. Emergency Management Team meets and decides on best course of action
  4. Instructions are issued to members of staff, contractors, etc.

There can be some problems with this arrangement, even with slow moving events:

However, this is a good information and decision making arrangement when there is sufficient time, or when organizing recovery after an event.

But the problem with this theoretical flow of information is that it does not work for more urgent events. Going back to our hypothetical car park bomb, the decisions need to be made:

How long would it take to arrange an Emergency Response Team meeting? And after they have met, how long will it take for them to make a decision?

For more rapidly moving events like these a different flow of information and decision making needs to be adopted:

We might coin this arrangement benign dictator mode. It has the advantages that:

The main difficulty that has to be overcome with this arrangement is that the Duty Officer has to have authority to make an immediate decision without waiting for management authorization, and management must back up the Duty Officer even if the decision is wrong. What if the bomb threat was thought to be a hoax and turned out to be genuine? What if the bomb wasn't in the car park but was somewhere else? What if the bomb was bigger than expected and too small an area was evacuated? What if the bomb threat proved to be a hoax and was treated as genuine?

It's really important that the Duty Officer has the authority, training, and confidence to make a reasonable decision with the information that is available at the time without worrying about a management team with 20/20 hindsight.

But this is still slow. For certain emergencies there may not even be time to call a Security Team Duty Officer. If there is an earthquake, or a fire, staff will not even have the time required to make a phone call. In these cases, the sequence has to be:

We might call this arrangement every person for themself mode. Under these circumstances the staff member needs to know what to do immediately. There is no time to consult with a higher authority. This means either that the staff member has to be trained, or that they must have ready access to staff emergency procedures.

To Sum Up…

The information and decision flow needs to change according to the nature of the incident. While some incidents allow time for management preparation, others need to short-circuit management approval, and for really urgent events staff must be trained and given the information to make their own decisions.

Other Observations

In writing this I made a couple of notes which I think are important, but didn't really fit into the above discussion:

The Risk Assessment Toolkit

A quick plug for our Risk Assessment Toolkit. If you've had to create or maintain a Risk Register or a Business Impact Analysis, you will know how much work that can entail.

Our Risk Assessment Toolkit is designed to make those tasks easier, as well as providing you with quantitative reports simulating the effects of disruptions, and calculating potential losses.

For more information, or to try an evaluation copy, visit www.RiskyThinking.com/rat.

News Review

The news has recently been dominated by the various terrorist attacks around the world, not all of them widely reported. Excluding the many attacks associated with civil wars and armed conflicts, these include:

When reading reports of these attacks, the questions to ask are whether your business faces a real risk from a similar attack, and if so, whether there are any practical precautions your business should take to prevent or mitigate such an attack.

In other news, floods have been damaging properties and businesses in Cumbria, in the north west of England. Like real lightning, but unlike proverbial lightning, floods do strike the same places twice. Although the flood defenses had been improved since the previous flood, they proved insufficient to cope with the extreme rainfall.

There's an economic choice to be made when building flood defenses: how big a flood should we prepare for? With global climate change, historical data is becoming less useful as a predictor of future weather events. If you are in a flood plain, it's definitely worth considering moving before too many people (and your insurance company) realize this!

Note that the flooding caused extensive road closures, as well as a failure of the electricity supply when a substation was inundated. Even if you are on high ground, flooding can still affect you.